IT security must include medical devices

Healthcare providers need to pay attention to the growing security threat of unsecured medical devices. That is the view of Michael Kanarellis, IT assurance senior manager for public accounting and business consulting firm Wolf & Company.

“It’s the forgotten part of information security within healthcare and it’s becoming a threat,” he said. “It’s important to make sure that your medical devices are integrated properly into your network and secure. If you look at a standard community hospital in the US, you’re talking between 3,000 and 5,000 medical devices within the hospital, and many of them hold personal patient information.

“Whether they’re a dialysis pump, an infusion pump or a heart rate monitor, you need to make sure they are secure because most are connected to the network. We’ve been doing a number of projects at large healthcare facilities incorporating the medical devices within our review. A lot of people haven’t thought about it, and hackers or people who are looking to do harm are seeing this as the next step.”

Kanarellis said there is a disconnect because medical devices are not typically under the control of the core IT department. They usually fall under a clinical engineering department, and clinical engineering departments often do not have a security background and are not thinking of security as they deploy these devices.

“Again, it’s a risk management approach; a risk analysis of your medical devices needs to be conducted. First, perform an accurate inventory and determine what information is stored on each device, and second, make sure that the proper security controls are in place,” he said. “It’s definitely an area healthcare security professionals need to be concentrating on.”